Securing your WordPress site from unauthorized access is crucial to protecting it from brute-force attacks and other malicious activity. One effective strategy is to use Cloudflare’s Web Application Firewall (WAF) to restrict access to sensitive endpoints like /wp-admin and /wp-login.php to specific IP addresses. Here’s how I set it up.
1. Create a Custom WAF Rule in Cloudflare
To restrict access to WordPress admin and login areas, I created a custom WAF rule:
- Navigate to the Custom Rules section in Cloudflare: https://dash.cloudflare.com/<space>/<site>/security/waf/custom-rules.
- Create a new rule with the following expression (the parentheses only make the grouping explicit; in Cloudflare’s Rules language `and` already binds tighter than `or`, so the behaviour is the same without them):
(http.request.uri.path contains "wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")

- Explanation of the rule:
  - Blocks all traffic to /wp-login.php and to anything under /wp-admin/, except:
    - Requests to /wp-admin/admin-ajax.php, which is required for many WordPress functions (plugins use it for front-end requests from logged-out visitors too).
    - Requests to /wp-admin/theme-editor.php, which you may want to allow if you’re using the theme editor.
  - Note that `contains` is a substring match, so any path that contains "wp-login.php" or "/wp-admin/" is matched, not only the exact paths.
- Action: set the action to Block, so the rule applies to all traffic by default.
- Save the rule.
- Check your site: requests to /wp-admin and /wp-login.php should now be answered with Cloudflare’s block page instead of the login form.

2. Allow Access for Your IP Address
To ensure you can still access your site, whitelist your IP address:

- Go to the WAF Tools section in Cloudflare: https://dash.cloudflare.com/<space>/<site>/security/waf/tools.
- Add your public IP address to the Allowlist. This ensures you bypass the block rule when accessing /wp-admin or /wp-login.php. If your connection has a dynamic IP address, remember that you will lock yourself out when it changes and will need to update the allowlist entry.
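To check that the expression from step 1 and the allowlist from step 2 together do what is intended before relying on them, here is a small Python model of the rule that can be run locally. It is an added example of mine, not code from this post or from Cloudflare: the `ALLOWLIST` range, the sample requests and the function names are constructed for the illustration, and the evaluation mirrors Cloudflare’s documented behaviour (`contains` is a substring match, `and` binds tighter than `or`).

```python
"""Local dry run of the WordPress admin WAF rule (added example, not Cloudflare code)."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the IP you add under WAF Tools > Allowlist.
# 203.0.113.0/24 is a documentation range, not a real address.
ALLOWLIST = [ip_network("203.0.113.0/24")]


def matches_block_rule(path: str) -> bool:
    """Mirror the custom-rule expression.

    In Cloudflare's Rules language `contains` is a substring match and
    `and` binds tighter than `or`, so the expression reads as:
      (contains "wp-login.php")
      or (contains "/wp-admin/" and not admin-ajax and not theme-editor)
    """
    login = "wp-login.php" in path
    admin = "/wp-admin/" in path
    ajax = "/wp-admin/admin-ajax.php" in path
    theme_editor = "/wp-admin/theme-editor.php" in path
    return login or (admin and not ajax and not theme_editor)


def is_allowlisted(client_ip: str) -> bool:
    """True if the client address falls inside one of the allowlisted ranges."""
    ip = ip_address(client_ip)
    return any(ip in net for net in ALLOWLIST)


def waf_decision(path: str, client_ip: str) -> str:
    """Return 'allow' or 'block' for one request.

    An allowlisted IP is exempt from the block rule (that is the purpose of
    step 2); everyone else is evaluated against the expression.
    """
    if is_allowlisted(client_ip):
        return "allow"
    return "block" if matches_block_rule(path) else "allow"


def simulate(requests):
    """Evaluate a list of (path, client_ip) pairs and return the decisions."""
    return [(path, ip, waf_decision(path, ip)) for path, ip in requests]


# Constructed sample traffic: a visitor on an unknown address, then yourself.
SAMPLE_REQUESTS = [
    ("/", "198.51.100.7"),
    ("/wp-login.php", "198.51.100.7"),
    ("/blog/wp-login.php", "198.51.100.7"),       # substring match still blocks
    ("/wp-admin/", "198.51.100.7"),
    ("/wp-admin", "198.51.100.7"),                # no trailing slash: not matched
    ("/wp-admin/admin-ajax.php", "198.51.100.7"),
    ("/wp-admin/theme-editor.php", "198.51.100.7"),
    ("/wp-login.php", "203.0.113.5"),             # your allowlisted address
]

if __name__ == "__main__":
    for path, ip, decision in simulate(SAMPLE_REQUESTS):
        print(f"{decision:5} {ip:15} {path}")
```

Two things the dry run makes visible: the bare path `/wp-admin` (without the trailing slash) does not match the expression, so that first request reaches the origin and it is the web server’s redirect to `/wp-admin/` that gets blocked; and because `contains` is a substring match, anything with `wp-login.php` anywhere in the path is blocked, which is usually what you want but is worth knowing if you host files under such names.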
Benefits of This Configuration
- Improved Security: Blocks unauthorized access attempts to critical endpoints, protecting your site from brute-force attacks.
- Selective Access: Allows only authorized IP addresses to interact with admin areas while maintaining functionality for essential AJAX requests.
- Seamless Integration: Cloudflare handles the restrictions, so your server doesn’t have to process unnecessary traffic.
Final Thoughts
By leveraging Cloudflare’s WAF custom rules and tools, I was able to restrict access to my WordPress site’s most sensitive areas. This setup significantly reduces the attack surface while allowing me to manage my site securely from a known IP address.
If you’re managing a WordPress site, I highly recommend implementing this configuration to enhance your site’s security.